Method and system for secure, decentralized personalization of smart cards

ABSTRACT

A method and apparatus for securely writing confidential data from an issuer to a customer smart card at a remote location includes establishing a communication link between a retailer data terminal device at the remote location and the issuer's secure computer. A communication link is established between a secure terminal device, which includes a smart card reader/writer, and the data terminal device. The retailer is authenticated to the issuer and the issuer to the retailer by means of a retailer smart card presented to the secure terminal device. A session key is established for enciphering data traffic between the secure terminal device and the issuer's computer using the retailer smart card. The customer smart card is presented to the secure terminal device. Confidential customer data is enciphered using the session key and written from the issuer's computer to the customer smart card.

TECHNICAL FIELD

This invention concerns a method for securely writing confidential data to smart cards in remote, insecure locations. In a second aspect the invention concerns a system for securely writing the confidential data. Smart Cards are used as a highly-secure means of storing data in a portable form. They are of particular use, for example, in cryptographic applications for the storage of cipher keys.

BACKGROUND OF THE INVENTION

When a smart card is manufactured, the manufacturer `burns in` a unique identifying serial number. In addition the manufacturer installs a manufacturer's `Master` Secret Code.

The card and the Master Secret Code are subsequently conveyed to the Issuer by separate means. Upon receipt by the Issuer the card is accessed by presenting the Master Secret Code and that code is then changed to a fresh `Issuer` Secret Code not known to the manufacturer. One or more User Secret Codes are then stored in the card and used to protect access to confidential user data. Initial user data may then be stored in the card. The card and the User Secret Code(s) are ultimately conveyed to a user by separate means, and the appropriate User Secret Code(s) must be correctly presented to the smart card by the user before access to the card is allowed.

The process of presentation of the Master Secret Code, storage of the Issuer Secret Code, storage of the User Secret Codes, and initial storage of user data, is commonly called Personalisation, and is traditionally done in a secure "Personalisation Centre" by the Issuer. This approach is costly, time-consuming and relatively insecure.

SUMMARY OF THE INVENTION

According to the present invention, as currently envisaged, there is provided a method for securely writing confidential data from an Issuer to a customer smart card at a remote location, comprising the steps of:

establishing a communications link between a retailer data terminal device at the remote location and the Issuer's secure computer;

establishing a communications link between a secure terminal device, which includes a smart card reader/writer, and the data terminal device;

authenticating the retailer to the Issuer and the Issuer to the retailer, by means of a retailer smart card presented to the secure terminal device;

establishing a session key for enciphering data traffic between the secure terminal device and the Issuer's computer, using the retailer smart card;

presenting the customer smart card to the secure terminal device; then

enciphering the confidential data under the session key and writing it from the Issuer's computer to the customer smart card.

Preferably the method includes the step of establishing a second session key for enciphering data traffic between the data terminal device and the Issuer's computer.

Preferably the retailer is authenticated to the Issuer by entering a retailer secret code which is checked by the retailer smart card, then a cipher key is read from the retailer smart card to the secure terminal device and checked by a challenge sent by the Issuer. Optionally the Issuer is subsequently authenticated to the retailer using a cipher key which is read from the retailer smart card to the secure terminal device and used to challenge the Issuer.

Preferably the session keys are established by using a cipher key to encrypt the combined product of two random numbers, one of which was generated by the first party and sent to the second party, the other of which was generated by the second party and sent to the first party.

Advantageously the confidential data is an Issuer Secret Code present in the customer smart card to prevent access to the card, and required to open the card to accept data.

Preferably the confidential data comprises a directory and file structures, and data.

According to a further aspect of the invention, as currently envisaged, there is provided a system for securely writing confidential data from an Issuer to a customer smart card in a remote location, comprising:

the Issuer's secure computer;

a retailer data terminal device at the remote location selectively in communication with the computer by means of a communications link;

a secure terminal device at the remote location, including a smart card reader/writer, selectively in communication with the computer via the data terminal device;

a retailer smart card containing the data required to authenticate the retailer to the Issuer and the Issuer to the retailer, and the data required to establish a session key for enciphering traffic between the secure terminal device and the Issuer's computer;

a customer smart card able to accept the confidential data, when presented to the secure terminal device, written from the computer enciphered under the session key.

Preferably the retailer smart card also contains the data required to establish a second session key for enciphering traffic between the data terminal device and the Issuer's computer.

Preferably the confidential data is an Issuer Secret Code, present in the customer smart card to prevent access to the card, and required to open the card to accept data.

This method and system permit personalisation of the smart card at a location convenient to the customer, such as the point of sale of the item, or service, with which the smart card is subsequently to be used. Such locations are unlikely to be secure, may be widely dispersed from any central administrative centre, and may be operated by staff who do not work for the Card Issuer. Furthermore the method provides a decentralised personalisation service in a manner that ensures the security of all confidential data transferred between components of the system.

As smart cards are used more widely in mass consumer applications such as mobile telephony and Pay TV, the high volume of smart cards issued, and the widely dispersed customer population, will make decentralised personalisation highly cost-effective and competitive.

Once the infrastructure for a decentralised personalisation system is in place, it can be used for securely loading data other than personalisation data into previously personalised smart cards.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a schematic diagram showing the relationships between the components of a system according to the invention.

FIG. 2 is a schematic flow chart showing the steps of the method of writing confidential information from an issuer's secure computer to a customer smart card at a remote location up to authentication of the retailer;

FIG. 3 is a schematic flow chart showing the steps of the method of writing confidential information from an issuer's secure computer to a customer smart card at a remote location up to enciphered data transfer between the customer smart card and the secure computer; and

FIG. 4 is a block diagram of the secure terminal device STE 7.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Method and system 1 involve the interaction of three entities:

The Issuer 2 is the organisation which ultimately provides the goods or services that are obtained through the use of the customer smart card. It is responsible for the system as a whole, for the purchase of smart cards, and for their supply to Retailers. This organisation could be the central office of a bank, or a telecommunications operator, for example.

The Retailer 3 is the institution which represents the Issuer 2 in a particular local area. It could be a bank branch, or a newsagent, for example.

The Customer 4 is the end-user of the service, and the holder of the smart card that gives access to that service.

The elements involved in the process of decentralised personalisation are:

A Central Administration System 5 (ADS).

A computer system in a secure location that is equipped to communicate by telecommunications links with the other, remotely sited, components of the system. These links are assumed to be insecure. The system 5 also includes a secure database of Retailer Keys.

A Data Terminal Device 6 (DTD).

A small computer system (such as a Personal Computer) located in the Retailer's premises. It is equipped to communicate, by a telecommunications link, with the Central Administration System. This system is not considered to be secure by the Issuer.

A Secure Terminal Device 7 (STE).

A tamper-resistant, programmable device comprising a numeric and function keypad, a display, and a smart card reader/writer. It communicates with the Data Terminal device 6 by a serial communications link.

FIG. 4 is a block diagram of the secure terminal device STE 7. That device includes a tamper-resistant programmable device 90 which in turn receives information from a keypad 92, displays information on a display 94 and is coupled to a smart card reader/writer 96. It communicates with the data terminal device DTD 6 via a serial communications link.

Smart Cards or Integrated Circuit Cards (ICC).

These are read and written to by the Secure Terminal device. Two categories of smart card are used within the system:

Retailer Cards 8

Each Retailer is issued with one Retailer Card, which has already been securely personalised by the Issuer. It contains the data required to gain access to, and use, the system. This data is protected from access by several Secret Codes, some known only to the Retailer, and some known only to the Central Administration System.

Customer Smart Cards 9

These are the smart cards that will be issued by the Retailer 3 to his Customers 4. They are held in stock in an unpersonalised state, exactly as they were shipped from the card manufacturer.

The operation of the method and system will be described by analysing each phase in the personalisation of a Customer smart card from the perspective of the Retailer. These phases are identified as:

Session Establishment;

Personalisation of Customer Smart Card;

Session Termination;

Modification of Data on Customer Smart Cards.

In general, there are several different operations involved in each phase.

Session Establishment

1) Retailer System Startup

On startup, the Data Terminal device sets up a communications link with the Central Administration System. This link is used for all future communications between the Central Administration System and the Data Terminal device.

2) Retailer Sign-On

Once the communications link is established, the Retailer is prompted to insert his Retailer Card in the Secure Terminal device. The Retailer is then prompted by the Secure Terminal device to enter his personal Secret Code, which is passed directly to the smart card for checking.

3) Retailer Authentication

If the check of the Retailer's Secret Code succeeds, the Secure Terminal device reads a unique, unprotected, read-only serial number from the smart card, and sends it to the Central Administration System via the Data Terminal device. Thus the Administration System knows which smart card is in use.

The Secure Terminal device then reads a unique cipher key out of a file on the smart card which was set up during personalisation so that it can only be read after the Retailer's Secret Code has been correctly presented.

The Central Administration System then sends a random number (a challenge) to the Secure Terminal device, via the Data Terminal device. The Secure Terminal device enciphers the challenge using the cipher key read from the smart card and sends the result (the response) back to the Central Administration System. Since the Central Administration System maintains a record of the keys held on every Retailer Card issued, it is able to validate the response by also enciphering the random number challenge using the same cipher key, and comparing the result with the response received from the Secure Terminal device. If the two values are identical, the Retailer has successfully authenticated himself to the Central Administration System.

With respect to FIG. 2, a retailer smart card C1 is inserted into the secure terminal device. In a step 20, the retailer enters a personal security code which in a step 22 is compared to a secret code read from the retailer card C1 in a step 24. If the codes do not correspond, the terminal rejects the card C1 in a step 26. If the two codes do correspond, the terminal issues an unlock command in a step 28 and reads a unique, unprotected, read-only serial number from the card C1 in a step 30 and transmits that number to the issuer's secure computer. In a step 32 the issuer's secure computer retrieves a cipher key 34 associated with the serial number of the card C1 and in a random number generator 36 generates a random number RN1. The random number RN1 is then enciphered in a step 38. The random number RN1 is also transmitted to the secure terminal device and is enciphered in a step 40 using a cipher key 42 carried by the smart card C1. The enciphered output from the secure terminal device is then transmitted back to the secure computer and compared in a step 44 to the output of the local enciphering step 38. If there is no match, the transaction will be rejected in a step 46. If there is a match, the retailer will be authenticated in a step 48.

4) Issuer Authentication

Authentication of the Retailer only provides part of the security needed. It is equally important to ensure that the Central Administration System is authentic. This is achieved by performing an enciphered challenge-response in the reverse direction using a random data challenge generated within the Secure Terminal device, and using a key read from the Retailer Card. If the Central Administration System is authentic, it will also have a record of this key, and will be able to encipher the challenge and send back the correct response.

5) Establishment of Session Keys

Once both the Central Administration System and the Retailer System have authenticated each other, they can mutually establish session keys for enciphering future data traffic between them. This is done by each party sending the other a random number. Both parties then combine these two numbers together (for example, by exclusive ORing them) and encipher the result, using a key known only to them, to produce a new number, the Session Key. Future data traffic can then be enciphered using this session key. Whenever the session is terminated, and a new one started, new random numbers are used, resulting in a new session key.

Two session keys are used for securing communication between the different components of the system, one 10 between the Secure Terminal device 7 and the Central Administration System 5 and a second, optional, key 11 between the Data Terminal device 6 and the Central Administration System 5. By using different session keys, tight security can be maintained because intermediate parties in an exchange of messages between two parties are not privy to the contents of the messages they are simply passing on.

6) Collection and Transmission of Customer Details

The Retailer may now obtain from the Customer any personal data required by the Central Administration System before personalisation of a Customer smart card can proceed. This data may be entered into the Data Terminal device, enciphered under the Data Terminal device-Central Administration System session key 11 (to protect the confidentiality of the Customer data in transit over the link), and sent to the Central Administration System.

7) Assessment of Customer Data

If appropriate, the Central Administration System now checks the Customer data (for example, runs a credit check), and determines whether or not personalisation of a Customer smart card may proceed. The decision is communicated to the Retailer via the Data Terminal device.

Personalisation of Customer smart card

8) Selection of Customer smart card

If the Central Administration System allows personalisation to proceed, the Retailer removes his Retailer Card from the Secure Terminal device, selects a smart card from stock, and inserts it in the Secure Terminal device. The identity of the smart card is then communicated to the Central Administration System, either by the Retailer entering identifying information into the Data Terminal device, or by the Secure Terminal device reading a Serial Number out of the smart card and sending it to the Central Administration System.

9) Presentation of Manufacturer's Master Secret Code

At this stage, the smart card is protected from general access by a unique Master Secret Code written into it by the manufacturer. The method by which the Master Secret Code can be computed for any smart card in a batch will have been separately communicated to the Card Issuer. In order to gain access to the smart card, its Master Secret Code must be presented, and this is done by computing the Master Secret Code in the Central Administration System, then sending it to the Secure Terminal device, enciphered under the Central Administration System-Secure Terminal device session key 10. In the Secure Terminal device, it is deciphered and presented to the smart card. This has the effect of opening up the smart card for further accesses.

10) Smart Card Set Up

Once the smart card has been "opened" by presentation of the Master Secret Code, it can be set up to meet the Customer's and Issuer's requirements. This involves creating various data structures on the smart card, and writing appropriate data to them, and to other locations on the smart card. All instructions on the manner in which the smart card is to be set up are sent from the Central Administration System enciphered under the Central Administration System-Secure Terminal device session key 10. Similarly, all data written to the smart card are sent from the Central Administration System enciphered under the Central Administration System-Secure Terminal device session key 10.

11) Entry of Customer Secret Code

At this point, the Customer may be required to enter the Secret Code he will subsequently use to protect access to his personal data held on the smart card. He is prompted on the Secure Terminal device display to enter his Customer Secret Code, and does so using the Secure Terminal device's keypad. This ensures that nobody else, not even the Retailer, knows his Secret Code. The entered Secret Code is written to the smart card where it is securely stored to be used by the smart card microprocessor to validate future presentations of the Customer Secret Code.

With respect to FIG. 3, the issuer is first authenticated. In a step 52, at the issuer's secure computer, the cipher key associated with the serial number previously received in step 32 is determined and retrieved. The secure terminal device in a step 54 uses a random number generator to generate a random number RN2. This random number is transmitted to the issuer's secure computer and enciphered in a step 56. It is also enciphered at the secure terminal device in a step 58. The issuer's secure computer transmits the enciphered result from the step 56 to the secure terminal device, which compares in a step 60 that received enciphered result to the locally generated enciphered result from the step 58. If there is no match, the attempt at authentication of the issuer is rejected in a step 62. If in the step 60 the two enciphered codes match, the terminal authenticates the issuer in a step 64. Once the issuer's secure computer has been authenticated at the secure terminal device, a session key can be established. A random number generator 70, at the issuer's secure computer, generates a random number RN3 and transmits it to the secure terminal device. Using a common key 72 associated with the retailer smart card C1 and present at the issuer's secure computer, the common key, the random number RN3 and another random number RN4, received from the secure terminal device and generated there in a step 78, are enciphered to produce a session key. Similarly, at the secure terminal device in a step 76, the locally generated random number RN4 along with the received random number RN3 and the common key from the retailer smart card C1 are enciphered to produce the session key at the secure terminal device. As is apparent from FIG. 3, a session key is required at the secure terminal device as well as at the issuer's secure computer.
Information in steps 80, 82 can be transmitted between the customer's smart card C2 and the issuer's secure computer after enciphering and deciphering using the session key. This is a bidirectional data transmission.
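The exchange of Session Establishment steps 2 to 5 (Retailer Sign-On, Retailer Authentication, Issuer Authentication, Establishment of Session Keys) followed by steps 9 and 10 (Presentation of Manufacturer's Master Secret Code, Smart Card Set Up), as an added example in Python; it is not code from the patent or from any system it describes. Its assumptions: the page names no cipher, so encipher is a keyed-PRF stand-in (HMAC-SHA256 truncated to 16 bytes) rather than a block cipher; message-level enciphering under the session key (seal and open_sealed) adds a MAC tag the page does not mention; the Master Secret Code is computed from the card serial under a hypothetical batch key, since the page says only that the manufacturer communicates the method to the Issuer; and the RetailerCard, CustomerCard and AdministrationSystem classes, the serials and the secret codes are constructed for the example.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # width of the random numbers and of the stand-in cipher output (assumption)

def encipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher the page does not name (assumption): a truncated keyed PRF."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from the stand-in PRF, XORed over data; the same call deciphers.
    return b"".join(xor_bytes(data[i:i + BLOCK], encipher(enc_key, nonce + i.to_bytes(4, "big")))
                    for i in range(0, len(data), BLOCK))

def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encipher under the session key and append a MAC tag. The tag is an addition the page does
    not describe: enciphering alone does not stop the untrusted Data Terminal device, which relays
    every message, from altering ciphertext in transit."""
    enc_key, mac_key = encipher(session_key, b"enc"), encipher(session_key, b"mac")
    nonce = secrets.token_bytes(8)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(session_key: bytes, msg: bytes) -> bytes:
    """Check the tag first, then decipher."""
    enc_key, mac_key = encipher(session_key, b"enc"), encipher(session_key, b"mac")
    nonce, ct, tag = msg[:8], msg[8:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("session message failed integrity check")
    return _keystream_xor(enc_key, nonce, ct)

class RetailerCard:
    """Retailer Card 8: unprotected read-only serial; key file readable only after the Retailer
    Secret Code is presented. Authentication key and common (session) key are distinct, as claim 7
    lists them, so a challenge response is never computed under the key that derives session keys."""
    def __init__(self, serial: bytes, secret_code: bytes, auth_key: bytes, common_key: bytes):
        self.serial, self._secret_code = serial, secret_code
        self._auth_key, self._common_key, self._unlocked = auth_key, common_key, False
    def present_secret_code(self, code: bytes) -> bool:
        self._unlocked = hmac.compare_digest(code, self._secret_code)
        return self._unlocked
    def read_keys(self):
        if not self._unlocked:
            raise PermissionError("key file is protected by the Retailer Secret Code")
        return self._auth_key, self._common_key

class CustomerCard:
    """Customer smart card 9 as shipped: locked by the manufacturer's Master Secret Code."""
    def __init__(self, serial: bytes, master_code: bytes):
        self.serial, self._master_code, self.opened, self.files = serial, master_code, False, {}
    def present_master_code(self, code: bytes) -> bool:
        self.opened = hmac.compare_digest(code, self._master_code)
        return self.opened
    def write(self, name: str, value: bytes) -> None:
        if not self.opened:
            raise PermissionError("card has not been opened with the Master Secret Code")
        self.files[name] = value

class AdministrationSystem:
    """ADS 5: database of Retailer Keys, serial -> (auth_key, common_key), plus a batch key from
    which each card's Master Secret Code is computed (assumption; the page gives no method)."""
    def __init__(self, retailer_keys: dict, batch_key: bytes):
        self.retailer_keys, self.batch_key = retailer_keys, batch_key
    def master_code_for(self, card_serial: bytes) -> bytes:
        return encipher(self.batch_key, card_serial)

def establish_session(ads: AdministrationSystem, card: RetailerCard, entered_code: bytes):
    """Steps 2 to 5 of Session Establishment; '->' marks a message from STE to ADS, '<-' the
    reverse, all relayed over the insecure link by the Data Terminal device, which only passes them on.
    Returns the session key as derived by the STE and as derived by the ADS."""
    if not card.present_secret_code(entered_code):                  # 2) code goes straight to the card
        raise PermissionError("Retailer Secret Code rejected by the Retailer Card")
    ste_auth_key, ste_common_key = card.read_keys()
    ads_auth_key, ads_common_key = ads.retailer_keys[card.serial]   # 3) serial ->  (KeyError: unknown card)
    rn1 = secrets.token_bytes(BLOCK)                                 #    RN1 <-
    if not hmac.compare_digest(encipher(ste_auth_key, rn1), encipher(ads_auth_key, rn1)):  # response ->
        raise PermissionError("retailer authentication failed")
    rn2 = secrets.token_bytes(BLOCK)                                 # 4) RN2 ->
    if not hmac.compare_digest(encipher(ads_auth_key, rn2), encipher(ste_auth_key, rn2)):  # response <-
        raise PermissionError("issuer authentication failed")
    rn3, rn4 = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)   # 5) RN3 <-, RN4 ->
    ste_session_key = encipher(ste_common_key, xor_bytes(rn3, rn4))
    ads_session_key = encipher(ads_common_key, xor_bytes(rn3, rn4))
    return ste_session_key, ads_session_key

def personalise(ads, ads_session_key, ste_session_key, customer_card, data: dict) -> dict:
    """Steps 9 and 10: ADS sends the Master Secret Code, then the set-up data, under session key
    10; the STE deciphers each and presents it to, or writes it on, the customer card."""
    master = open_sealed(ste_session_key, seal(ads_session_key, ads.master_code_for(customer_card.serial)))
    if not customer_card.present_master_code(master):
        raise PermissionError("Master Secret Code rejected by the customer card")
    for name, value in data.items():
        customer_card.write(name, open_sealed(ste_session_key, seal(ads_session_key, value)))
    return customer_card.files
```

Two points the code makes explicit that the prose leaves implicit. First, the key that enciphers the challenges in steps 3 and 4 and the common key that derives the session key in step 5 are held as separate values, as claim 7 lists them; if one key served both purposes, every response returned over the insecure link would be a value of the same form as a session key. Second, because the session key is a function of RN3 XOR RN4, a repeat of that combined value under the same common key repeats the session key, which is why step 5 insists on fresh random numbers for every new session. The optional Data Terminal device-Central Administration System key 11 would be derived by the same routine from a second key pair on the Retailer Card.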

Session Termination

12) Customer Smart Card Handover

The Customer may now remove his smart card from the Secure Terminal device and begin to use it.

13) Termination of Communications Session

The communications session with the Central Administration System is now terminated, which involves erasure of all session keys that were being used.

14) Breaking of Communications Link

The communications link with the Central Administration System may now be broken, or left open for use in the personalisation of other smart cards.

Modification of Data on Customer smart cards

There may be a need to modify some of the secure data on the Customer's smart card, at some stage after personalisation. This can be accomplished by using exactly the same method, but varying the data that is written to the Customer smart card during the "Smart Card Set Up" step.

With respect to FIG. 4, the secure terminal device STE 7 includes a tamper-resistant programmable device 90 which in turn receives information from a keypad 92, displays information on a display 94 and is coupled to a smart card reader/writer 96. It communicates with the data terminal device DTD 6 via a serial communications link.

An Example of Practical Implementation

To take a specific example, the GSM digital mobile telephone network relies upon smart cards called Subscriber Identity Modules (SIMs), inserted in mobile telephone handsets, to authenticate users as valid subscribers to the network. It also subsequently uses the Subscriber Identity Module to generate a different session key for each phone call made. This session key is used to encipher all data, such as voice data, transmitted from, and to, that mobile telephone during that call. In order to operate, therefore, each Subscriber Identity Module must be individually initialised to contain unique identifying information and cryptographic keys prior to issue to a subscriber.

Each Retailer is provided with the following:

a Personal Computer (Data Terminal device);

a secure, tamper-resistant PIN pad (Secure Terminal device), which incorporates a smart card reader;

a Retailer smart card, already personalised by the Issuer and set up to contain:

a Retailer Secret Code known only to the Retailer;

cipher keys known only to the Issuer, in a file protected by an Issuer Secret Code from general access;

a stock of unpersonalised blank Subscriber Identity Modules, that are protected from general access by a Manufacturing Secret Code.

When a prospective new Subscriber to the network approaches the Retailer to open a subscription, the Retailer establishes a communications link with the Central Administration System, using his Retailer smart card to authenticate himself, and to authenticate the Central Administration System, and to establish session keys between the Secure Terminal device and Central Administration System, and between the Data Terminal device and Central Administration System.

The Retailer then enters the new Subscriber's personal and financial details into the Data Terminal device, where they are enciphered using the Central Administration System-Data Terminal device session key and sent to the Central Administration System. In the Central Administration System, the details are deciphered and used to run a credit check on the new Subscriber. If this is successful, the Retailer is notified, by means of an enciphered message sent from the Central Administration System to the Data Terminal device, that personalisation can proceed.

The Retailer selects a Subscriber Identity Module from his stock, depending on Subscriber preference, and the type of mobile telephone the Subscriber will use. He inserts the Subscriber Identity Module in the Secure Terminal device and the personalisation data is sent from the Central Administration System, enciphered under the Central Administration System-Secure Terminal device session key. This data is deciphered in the Secure Terminal device before being written to the Subscriber Identity Module. This data includes instructions on the directory and file structures to be set up in the Subscriber Identity Module, as well as the information that is to be written to certain of these files, and to other locations in the Subscriber Identity Module. Data of particular note that is written to the Subscriber Identity Module at this time is:

the Subscriber's unique International Mobile Subscriber Identity (IMSI) number;

the authentication key (Ki);

the Subscriber Identity Module Service Table, which defines which of the available network services the Subscriber has actually accepted;

the PLMN Selector, which sets up an initial order of preference for the selection of network, when the Subscriber is out of range of his home network.

Once the Subscriber Identity Module has been set up, the Subscriber may enter his PIN Code (which will be his personal Secret Code protecting access to the Subscriber Identity Module) into the Secure Terminal device, which writes it to the Subscriber Identity Module. He may also enter his PIN unblocking key, which is also written to the Subscriber Identity Module for use in the event the user forgets his PIN code.

The telephone number of the Subscriber is then communicated, enciphered under the Central Administration System-Data Terminal device session key, from the Central Administration System to the Data Terminal device. The Retailer informs the Subscriber of the number, prints out a record of the entire transaction, and hands the new Subscriber his Subscriber Identity Module. The Subscriber is then in a position to use the network.

At this point all communications sessions are terminated by the erasure of the session keys and the communications link may be broken.

Since all information written to the Subscriber Identity Module originated from the Central Administration System, the Central Administration System holds a complete record of what is stored on the Subscriber Identity Module, as well as personal, financial and other Subscriber information. It is therefore able to route calls to the Subscriber, allocate charges correctly as they are incurred, and issue bills.

We claim:
 1. A method for securely writing confidential data from an issuer's secure computer to a customer smart card presented to a secure terminal device with smart card reader/writer connected to a retailer's data terminal device at a remote location, including the steps of: (a) establishing a communications link between the data terminal device and the secure computer; (b) authenticating the retailer to the issuer by: (i) presenting a retailer smart card to the secure terminal device reader/writer and establishing access to information stored in the smart card by entering a retailer secret code into the secure terminal device to unlock the retailer smart card; (ii) reading data from the unlocked retailer smart card and sending only information pertaining to the identity of the retailer smart card to the secure computer; (iii) generating and sending from the secure computer a first random number to the secure terminal device; (iv) enciphering the first random number at the secure terminal device using a cipher key read from the unlocked retailer smart card, the cipher key having a value unrelated to the retailer secret code, and sending the enciphered first random number back to the secure computer; (v) comparing the retailer smart card identification data with data stored in the secure computer to identify the retailer smart card, then retrieving a cipher key stored in the secure computer associated with the identification data and enciphering the first random number with the cipher key; and (vi) comparing the enciphered first random number received from the secure terminal device with the enciphered first random number generated in the secure computer to authenticate the retailer when the values of the enciphered first random numbers are identical; (c) establishing a mutual session key for enciphering data transfer between the secure terminal and the secure computer after authentication of the retailer to the issuer has been effected, the mutual session key being generated by using a common key stored in the secure computer and the retailer smart card; (d) retrieving the retailer smart card and subsequently presenting the customer smart card to the secure terminal device; (e) enciphering at the secure computer the confidential data to be written to the customer smart card using the mutual session key and sending the enciphered confidential data to the secure terminal device; and (f) deciphering at the secure terminal device the enciphered confidential data using the mutual session key and writing the confidential data on to the customer smart card.
 2. A method according to claim 1 including, after step (b), the step of (g) authenticating the issuer to the retailer by performing an enciphered challenge-response including: (i) generating at the secure terminal device a second random number, sending the second random number to the secure computer, and enciphering the second random number using a cipher key read from the unlocked retailer smart card; (ii) using the identification data of the retailer smart card, for the purpose of retrieving the cipher key stored in the secure computer associated with the identification data, enciphering the second random number using the cipher key and sending the enciphered second random number back to the secure terminal device; and (iii) comparing the enciphered second random number received from the secure computer with the enciphered second random number generated in the secure terminal device to authenticate the issuer when the values of the enciphered second random numbers are identical.
 3. A method according to claim 1 or claim 2, wherein the session key is established by the secure computer generating and sending a first random number to the secure terminal device, the secure terminal device generating a second random number and sending the second random number to the secure computer, the secure computer and the secure terminal device each enciphering the combined product of the two random numbers using the common key stored in the secure computer and the retailer smart card to generate the session key.
 4. A method according to claim 1, wherein the confidential data to be written on the customer smart card is an issuer secret code which enables locking and unlocking of the customer smart card, the issuer secret code being required to unlock the card to accept data.
 5. A method according to claim 4, wherein the data also comprises a directory and file structures and other consumer specific data.
 6. A method according to claim 1, wherein a second session key is established for enciphering traffic between the data terminal device and the issuer's secure computer in a manner analogous to the establishment of the session key for enciphering traffic between the secure terminal device and the secure computer.
 7. A system for securely writing confidential data from an issuer to a customer smart card in a remote location comprising: an issuer's secure computer containing data pertaining to the identification of a plurality of retailer smart cards and respective associated cipher keys; a retailer data terminal device at the remote location selectively in communication with the secure computer by means of a communications link; a secure terminal device at the remote location including a smart card reader/writer, selectively in communication with the secure computer via the data terminal device; a retailer smart card containing data required to authenticate the retailer to the issuer including a retailer secret code to enable unlocking of the smart card upon positive comparison with a secret code inputted into the secure terminal device, data pertaining to the identity of the smart card, a cipher key to encipher an authentication challenge generated by the secure computer and sent to the secure terminal device, and data required to establish a session key for enciphering traffic between the secure terminal device and the secure computer including a common cipher key stored in the retailer smart card and the secure computer; and a customer smart card able to accept the confidential data, when presented to the secure terminal device, sent from the computer to the secure terminal device after being deciphered using the session key.
 8. A secure terminal which can be coupled to a remote computer, and a data link, intended for use with first and second, different, authorization cards comprising: a programmed processor; an input device coupled to said processor; and a card reader/writer coupled to said processor, wherein said processor includes means for reading a first indicium from a first card and a second indicium entered via said input device and for comparing same, said processor including means, responsive to said comparing, for reading a third, identifying, indicium from said first card and for transmitting same to the remote computer and for receiving a random number response from the remote computer, associated with said identifying indicium, and for reading a fourth, key indicium from the first card for combining said random numeric response with said key indicium thereby producing an enciphered random numeric response sent to the remote computer for authentication, wherein said processor includes means for establishing a different transaction enciphering key in response to said authentication and wherein said processor includes means for reading a second card and for authorizing transactions using said transaction key and an identifying indicium carried by said second card and not entered by said input device.
 9. A terminal as in claim 8 wherein said processor includes means for entering onto said second card a user specified identifying indicium different from said transaction enciphering key.
 10. A terminal as in claim 8 wherein said processor includes means for terminating communication with the remote computer and wherein said transaction enciphering key is erased in response to said termination.